Differential phase shift keying quantum key distribution

ABSTRACT

Differential phase shift (DPS) quantum key distribution (QKD) is provided, where the average number of photons per transmitted pulse is predetermined such that the secure key generation rate is maximal or nearly maximal, given other system parameters. These parameters include detector quantum efficiency, channel transmittance and pulse spacing (or clock rate). Additional system parameters that can optionally be included in the optimization include baseline error rate, sifted key error rate, detector dead time, detector dark count rate, and error correction algorithm performance factor. The security analysis leading to these results is based on consideration of a hybrid beam splitter and intercept-resend attack.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a 371 of PCT Patent Application PCT/US2005/040428 filed Nov. 4, 2005.

FIELD OF THE INVENTION

This invention relates to quantum key distribution for cryptography.

BACKGROUND

The use of a one time pad protocol based on a shared secret key is of special interest in cryptography, since it can provide unbreakable encryption. However, messages encrypted with this protocol can be decrypted by anyone in possession of the key, so the protocol vulnerability depends on the security of key distribution. It is helpful to formulate the key distribution problem in the following standard manner. Alice and Bob communicate with each other via a channel. An eavesdropper Eve has full access to the channel. Eve can receive, tap and/or intercept signals from Alice and Bob, and can also send signals to Alice and Bob. Signals between Alice and Bob can include key information and/or encrypted messages.

Quantum key distribution (QKD) is of special significance, since it can provide provably secure key distribution over a compromised channel. The main idea of quantum key distribution is that Eve's actions in monitoring signals from Alice and Bob cannot be performed without modifying these signals. In other words, an “undetectable tap” does not physically exist. This perturbation of the signals is a quantum-mechanical effect, and key distribution protocols based on various kinds of quantum states have been proposed. Examples include the use of entangled states, non-orthogonal states, orthogonal states (U.S. Pat. No. 6,188,768), and states from single-photon sources (US 2005/0094818). The various QKD methods differ significantly in terms of their performance (as measured by secure key distribution rate) and their technical requirements (which affect cost). In fact, US 2005/0152540 proposes a hybrid key distribution scheme to use a short key (distributed by a slow QKD method) to provide fast and secure key distribution.

For simplicity, it is preferable to employ a QKD method that can directly provide fast and secure key distribution without excessive cost (e.g., preparation of exotic quantum states). A promising approach is differential phase shift (DPS) QKD, which was proposed in connection with a single photon source by Inoue et al., Phys. Rev. Lett., 89(3), 037902, 2002. DPS QKD was extended to pulses from a coherent source by Inoue et al. in Phys. Rev. A, 68, 022317, 2003. Although these references indicate that DPS QKD can outperform conventional QKD protocols such as BB84 and B92, a full security analysis of DPS QKD is not provided in this work. Without such an analysis, it is not clear how to maximize (or nearly maximize) the secure key distribution rate for DPS QKD given various system parameters (e.g., transmission loss, detector efficiency, etc.).

Accordingly, it would be an advance in the art to provide DPS QKD that can be tailored to maximize (or nearly maximize) the secure key distribution rate.

SUMMARY

The present invention addresses this need by providing DPS QKD where the average number of photons per transmitted pulse is predetermined such that the secure key generation rate is maximal or nearly maximal, given other system parameters. These parameters include detector quantum efficiency, channel transmittance and pulse spacing (or clock rate). Additional system parameters that can optionally be included in the optimization include baseline error rate, sifted key error rate, detector dead time, detector dark count rate, and error correction algorithm performance factor. The security analysis leading to these results is based on consideration of a hybrid beam splitter and intercept-resend attack.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a QKD system according to an embodiment of the invention.

FIG. 2 shows a QKD method according to an embodiment of the invention.

FIG. 3 is a comparison of experimental and calculated key generation rates for various QKD methods, including some embodiments of the invention.

DETAILED DESCRIPTION

FIG. 1 shows a QKD system according to an embodiment of the invention. The system of FIG. 1 has a transmitter 110 (Alice) in communication with a receiver 120 (Bob) over a channel 130. As indicated above, an eavesdropper (Eve) is assumed to have full access to channel 130. Transmitter 110 includes a source of coherent light 112, a phase modulator 114 and an attenuator 116. Source 112 emits pulses of coherent light having a pulse spacing (or period) T. The use of coherent light (as opposed to more exotic quantum states such as single-photon or entangled states) is an advantage of the invention. Source 112 can be a pulsed laser, or it can be a CW laser having an intensity modulator at its output to form pulses, or it can be any other source that provides pulses of coherent radiation.

In operation, phase modulator 114 is driven such that each pair of time-adjacent pulses is either substantially in phase or substantially out of phase after modulation. This can be accomplished by randomly driving phase modulator 114 to provide phase shifts of 0 and π (or of any two phases separated by π). Alice makes a record of the modulation applied to each pulse, for use in a later step of the protocol.

The purpose of attenuator 116 is to adjust the output pulse intensity such that the average number of photons per pulse μ is a predetermined value less than unity. The selection of μ is an important aspect of the invention, and will be considered in greater detail below. Broadly speaking, μ is the main parameter to vary in order to maximize the secure key generation rate. If μ is too small, the key generation rate will be very low because few photons are transmitted. If μ is too large, the secure key generation rate can decrease because Eve's attacks become more effective. Thus the selection of an optimal or near-optimal μ depends on a detailed analysis of the protocol and of various possible attacks Eve can attempt.

Channel 130 can include free space and/or any medium (e.g., optical fiber) suitable for transmission of radiation. The channel transmittance α is a key system parameter. By definition, α is a power transmittance, so α=1 corresponds to no loss and α=0.1 if 10% of the transmitted power makes it to the receiver. Optical losses in the receiver prior to detection can also be included in the α parameter.

In the receiver, an interferometer is formed by couplers 122 and 124 and a time delay element 126. Time delay element 126 provides a time delay of T (the pulse spacing). Such interferometers will be referred to as T-delay interferometers in the following description. The interferometer can be fabricated with planar lightwave technology (e.g., an unbalanced waveguide Mach-Zehnder interferometer). Any other approach for providing an interferometer having a time delay of T is also suitable for practicing the invention. The T-delay interferometer has two outputs connected to detectors 127 and 128 (D1 and D2). If two adjacent pulses are in phase, the demodulated pulse will appear at one of the two detectors (e.g., D1), and if two adjacent pulses are out of phase, the demodulated pulse will appear at the other of the two detectors (e.g., D2). The roles of D1 and D2 can be reversed in other embodiments of the invention.

Important detector parameters include quantum efficiency η, dead time t_(d), and dark count rate d. The quantum efficiency is the probability of detecting a single incident photon, and the dead time is the time period immediately following detection of an input during which the detector cannot respond to a second input. The dark count rate is the rate at which the detector erroneously “detects” photons when no signal light is incident. Modeling real detectors in terms of η, t_(d) and d is an approximation which simplifies analysis and retains the important physics. Further simplification can be performed in some cases by neglecting the effect of d and/or t_(d). In general, detectors D1 and D2 can have different quantum efficiencies η₁ and η₂ respectively, but it is preferred for the detectors to have the same quantum efficiency η and for this quantum efficiency to be as high as possible.

Any device capable of detecting photons can be used for detectors D1 and D2. Suitable devices include photodiodes, avalanche photodiodes, photomultiplier tubes, upconversion detectors, superconducting transition edge sensors, and solid state photomultipliers.

FIG. 2 shows steps of a QKD method according to an embodiment of the invention. Step 202 is providing pulses of coherent light having a pulse spacing T (e.g., with source 112). Step 204 is randomly phase modulating the pulses (e.g., with modulator 114). Step 206 is adjusting the average number of photons per pulse μ to provide maximal or near-maximal secure key generation rate (e.g., with attenuator 116). Step 208 is transmitting the pulses from Alice to Bob over a channel (e.g., channel 130) having a transmittance α. Step 210 is demodulating the received pulses with a T-delay interferometer. Step 212 is detecting the demodulated pulses to provide detection events. As indicated above, one of the detectors will only receive light when two adjacent pulses are in phase, and the other detector will only receive light when the two adjacent pulses are out of phase.

Step 214 is reporting the detection events to the transmitter. More specifically, the times at which photons are detected are reported to Alice by Bob. Since Alice has made a record of the modulation applied to each pulse, she can deduce from the detection event times which detector provided each detection event. Alice will need to synchronize her modulation record to the detection event times reported by Bob. Methods for performing such synchronization are well known in the art. The end result of this procedure is that Alice and Bob have shared a key. More specifically, let a detection event from detector D1 be a “0” and a detection event from detector D2 be a “1” (or vice versa). The sequence of 0s and 1s corresponding to the detection times reported by Bob is the key. Bob knows this information directly, and Alice deduces it from the detection event times and her modulation record.

It is clear that the above protocol allows Alice and Bob to share an identical key. Furthermore, any attack by Eve will need to be relatively sophisticated, since the readily available information (i.e., the pulses and the detection times) does not suffice to reconstruct the key.
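The sifting procedure of steps 204 through 214, as an added example that is not part of the original document: Bob announces only detection time slots, and Alice rebuilds the key from her modulation record. The function names are hypothetical, `click_prob` stands in for the per-slot detection probability, and dark counts and bit errors are left out.

```python
import random

def alice_modulate(n_pulses, rng):
    """Alice's modulation record: 0 = phase 0, 1 = phase pi, one entry per pulse."""
    return [rng.randrange(2) for _ in range(n_pulses)]

def bob_detect(phases, click_prob, rng):
    """Bob's T-delay interferometer overlaps pulse k-1 with pulse k.

    In phase -> detector D1 (bit 0); out of phase -> detector D2 (bit 1).
    Returns a list of (time_slot, bit) detection events.
    """
    events = []
    for k in range(1, len(phases)):
        if rng.random() < click_prob:
            events.append((k, phases[k] ^ phases[k - 1]))
    return events

def alice_sift(phases, reported_slots):
    """Alice deduces which detector fired from the reported times alone."""
    return [phases[k] ^ phases[k - 1] for k in reported_slots]

def sift_demo(n_pulses=200_000, click_prob=0.003, seed=1):
    """Run one constructed exchange; returns (bob_key, alice_key, misaligned_error)."""
    rng = random.Random(seed)
    phases = alice_modulate(n_pulses, rng)
    events = bob_detect(phases, click_prob, rng)

    slots = [k for k, _ in events]        # the only data sent back over the channel
    bob_key = [bit for _, bit in events]  # never transmitted
    alice_key = alice_sift(phases, slots)

    # Synchronization matters: if Alice's record is off by one pulse period,
    # her deduced bits are uncorrelated with Bob's.
    shifted_slots = [k + 1 for k in slots if k + 1 < n_pulses]
    shifted_key = alice_sift(phases, shifted_slots)
    mismatches = sum(a != b for a, b in zip(shifted_key, bob_key))
    return bob_key, alice_key, mismatches / len(shifted_key)

if __name__ == "__main__":
    bob_key, alice_key, bad_sync = sift_demo()
    print("sifted bits:", len(bob_key))
    print("keys identical:", bob_key == alice_key)
    print("error rate with a one-slot clock offset: %.3f" % bad_sync)
```

The announced slot list carries no key bits by itself; they follow only from combining it with Alice's phase record or Bob's detector record.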

The following security analysis is based on consideration of two possible attacks by Eve. The first attack is based on using a beam splitter (BS) to tap the channel. The second attack is an intercept-resend (I-R) attack, where Eve intercepts pulses from Alice and sends pulses to Bob. These two attacks can be implemented together as a hybrid BS and I-R attack. As is customary in security analyses, the only limits imposed on Eve's snooping are fundamental quantum-mechanical limits. More specifically, it is assumed that Eve can replace the real channel having transmittance α with a lossless channel and replace Bob's real detectors having quantum efficiency η<1 with ideal detectors having η=1.

To set up the problem, it is assumed that prior to Eve's interference, the channel transmittance is α, the average number of photons per pulse is μ, both of Bob's detectors have a quantum efficiency of η, and the coherence time of Alice's source is NT, where T is the pulse to pulse spacing. Thus the average photon number detected by Bob is μNαη, while the average photon number transmitted by Alice is μN. Eve receives μN photons and splits off μNαη photons with a beam splitter for transmission to Bob (using the lossless channel and ideal detectors) to duplicate the innocent channel loss. The remaining μN(1−αη) photons are available to Eve for attacking the key.

Eve can demodulate her photons with the same kind of receiver as Bob and obtain her sequence of detection events. However, Eve's detection events will only occasionally coincide with the detection events reported by Bob (even after synchronizing both sequences to the same time origin). The probability of a coincidence is μ(1−αη), since Eve's detection of a photon can occur at any time within the coherence time, which is spread out over N pulse intervals.

Eve can improve her odds by storing her photons in a quantum memory. Once Bob announces the times at which detection events occur, Eve then demodulates the stored photons with the same kind of receiver as Bob. The probability of a coincidence is 2μ(1−αη). The factor of two improvement arises because Eve is assumed to gate her interferometer with an optical switch to only operate at desired times (i.e., the detection event times reported by Bob). Since Bob's announcement of the detection times can be delayed arbitrarily, Eve's quantum memory is assumed to have whatever coherence time is required.

For any detection event where Eve's detection time coincides with Bob's reported time, Eve knows the associated bit of the key. Thus in a sifted key having n_(sif) bits, Eve knows 2μn_(sif)(1−αη) bits. This mutual information between Eve and Bob is independent of α and η for αη<<1, and decreases as μ decreases.

Eve can also implement an I-R attack by taking advantage of innocent system bit errors. Eve further splits some photons from the μNαη photons allocated for transmission to Bob by Eve. Eve measures the phase differences of these intercepted photons in a T-delay interferometer. Detection of these photons by Eve leads to a sequence of interception events. For each interception event, Eve transmits a single photon to Bob which is split into two time slots in a T-delay interferometer. The relative phase between the two time slots of the resent photon is set to 0 or π according to Eve's measurement results. When this fake photon is received by Bob, it can be detected at three possible times: t1<t2<t3. The time t1 relates to taking the shorter path in both interferometers (Eve's and Bob's), the time t3 relates to taking the longer path in both interferometers, and the time t2 relates to taking the longer path in one interferometer and the shorter path in the other interferometer. The probabilities of detection at t1, t2, and t3 are ¼, ½, and ¼ respectively.

If Bob detects the fake photon at times t1 or t3, there is no correlation between the phase modulation applied by Alice and which of Bob's detectors detects the fake photon. If Bob detects the fake photon at time t2, the proper correlation will occur between the phase modulation applied by Alice and which of Bob's detectors detects the fake photon. Thus Eve's I-R attack introduces errors in the key. In an ideal case where the innocent error rate is zero, this I-R attack can be discovered by monitoring the error rate in the key and attributing any finite error rate to eavesdropping.

A more practical situation is where the system used by Alice and Bob provides a nonzero innocent error rate e in the sifted key bits. It is assumed that Eve can substitute a perfect system having zero error rate for this real system. Eve can then perform her I-R attack undetectably, provided the error rate induced by the I-R attack is e (so that Alice and Bob do not notice any difference in error rate). In a sifted key having n_(sif) bits, Eve can attack 4en_(sif) bits, since each fake photon introduces an error with probability ¼. Since ½ of the fake photons are detected at t2, Eve knows 2en_(sif) bits of the key as a result of the I-R attack.

Based on the preceding considerations, the collision probability p_(c) between bits owned by Bob and Eve is given by

$p_c = 2^{-n_{sif}\left(1 - 2\mu(1-\alpha\eta) - 2e\right)}, \qquad (1)$

where both the beam splitter and intercept-resend attacks are accounted for. The privacy amplification compression factor τ₁ is given by

$\tau_1 = 1 + \frac{\log_2 p_c}{n_{sif}}. \qquad (2)$

Assuming error correction and privacy amplification, the secure key generation rate R_(s) is given by

$\begin{aligned} R_s &= R_{ng}\left[1 - \tau_1 + f(e)\left(e\log_2 e + (1-e)\log_2(1-e)\right)\right] \\ &= R_{ng}\left[1 - 2\mu(1-\alpha\eta) - 2e + f(e)\left(e\log_2 e + (1-e)\log_2(1-e)\right)\right] \end{aligned} \qquad (3)$

where R_(ng) is the sifted key generation rate and f(e)≧1 characterizes the performance of the error correction algorithm. The factor f(e)=1 is the ideal limiting case where the number of error correction bits is equal to the Shannon limit. This factor is known as a function of e for various error correction algorithms, and is typically between 1 and about 1.5.

The sifted key generation rate R_(ng) is given by

$R_{ng} = \left(\frac{\mu\alpha\eta + 2d}{T}\right)\exp\left(-\frac{(\mu\alpha\eta + 2d)\,t_d}{2T}\right) \qquad (4)$

where d is the detector dark count rate and t_(d) is the detector dead time. As indicated above, the error rate e is the error rate in the sifted key bits. This error rate is given by

$e = \frac{b\mu\alpha\eta + d}{\mu\alpha\eta + 2d}, \qquad (5)$

where b is the system baseline error rate. The baseline error rate b is the system-level photon error rate and includes the effects of various system non-idealities (e.g., imperfect state preparation, channel noise, alignment errors, imperfect detectors, etc.). If the dark count rate is negligible, then e and b are approximately the same.

Based on this analytical framework, near optimal quantum key distribution can be provided in the following manner. The system parameters η, α, d, t_(d), T and b are assumed to be given. The given quantities also include f(e), since the error correction algorithm being employed is a given, and f(e) depends only on this algorithm. From Eqs. 3-5, the secure key generation rate R_(s)(μ) is known as a function of μ, the average number of photons per pulse. Since the secure key generation rate goes to zero for both very small μ (i.e., μαη<<d) and for large μ (i.e., μ>½), the secure key generation rate takes on a maximum value R_(max) at an optimal average number of photons per bit μ_(opt) (i.e., R_(s)(μ_(opt))=R_(max)). Preferably, μ is predetermined such that R_(s)(μ) is greater than about 0.5 R_(max), and more preferably, μ is predetermined such that R_(s)(μ) is greater than about 0.8 R_(max).
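The optimization of μ described above, carried out numerically from Eqs. 3-5 (an added example, not code from the original document). The function names, the grid search, the constant f(e)=1.2 and the reading of d as dark counts per pulse slot (26 kHz × T) are assumptions; the other sample values are the ones quoted in the FIG. 3 discussion, and the output is not meant to reproduce the measured rates.

```python
import math

def entropy_term(e):
    """e*log2(e) + (1-e)*log2(1-e), the non-positive term scaled by f(e) in Eq. 3."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return e * math.log2(e) + (1.0 - e) * math.log2(1.0 - e)

def sifted_error_rate(mu, alpha, eta, d, b):
    """Eq. 5: sifted key error rate e."""
    s = mu * alpha * eta
    denom = s + 2.0 * d
    return (b * s + d) / denom if denom > 0.0 else 0.0

def sifted_rate(mu, alpha, eta, d, t_d, T):
    """Eq. 4: sifted key generation rate R_ng in bit/s."""
    x = mu * alpha * eta + 2.0 * d
    return (x / T) * math.exp(-x * t_d / (2.0 * T))

def secure_rate(mu, alpha, eta, d, t_d, T, b, f=1.2):
    """Eq. 3: secure key generation rate R_s, clamped at zero."""
    e = sifted_error_rate(mu, alpha, eta, d, b)
    bracket = (1.0 - 2.0 * mu * (1.0 - alpha * eta) - 2.0 * e
               + f * entropy_term(e))
    return max(0.0, sifted_rate(mu, alpha, eta, d, t_d, T) * bracket)

def optimize_mu(params, steps=10000):
    """Grid search over 0 < mu < 1; returns (mu_opt, R_max)."""
    best_mu, best_r = 0.0, 0.0
    for i in range(1, steps):
        mu = i / steps
        r = secure_rate(mu, **params)
        if r > best_r:
            best_mu, best_r = mu, r
    if best_r == 0.0:
        raise ValueError("no mu gives a positive secure key rate for this link")
    return best_mu, best_r

def acceptable_band(params, fraction, steps=10000):
    """Smallest and largest mu with R_s(mu) >= fraction * R_max."""
    _, r_max = optimize_mu(params, steps)
    ok = [i / steps for i in range(1, steps)
          if secure_rate(i / steps, **params) >= fraction * r_max]
    return min(ok), max(ok)

def transmittance(length_km, loss_db_per_km=0.2, receiver_loss_db=2.5):
    """Power transmittance alpha, with receiver loss folded in as the text allows."""
    return 10.0 ** (-(loss_db_per_km * length_km + receiver_loss_db) / 10.0)

# Constructed sample link: 20 km of fiber, eta = 8.8%, T = 1 ns, t_d = 50 ns, b = 3%.
# d = 26 kHz * 1 ns per slot and f = 1.2 are assumptions (see lead-in).
LINK_20KM = dict(alpha=transmittance(20.0), eta=0.088, d=26e3 * 1e-9,
                 t_d=50e-9, T=1e-9, b=0.03, f=1.2)

if __name__ == "__main__":
    mu_opt, r_max = optimize_mu(LINK_20KM)
    print("mu_opt = %.4f, R_max = %.3g bit/s" % (mu_opt, r_max))
    for frac in (0.8, 0.5):
        lo, hi = acceptable_band(LINK_20KM, frac)
        print("R_s >= %.1f R_max for %.4f <= mu <= %.4f" % (frac, lo, hi))
```
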

The above analysis relates to a preferred embodiment of the invention. Other embodiments of the invention can be obtained by various modifications to the above analysis. For example, if the dark count rate d is negligible, the sifted key generation rate is given approximately by R_(ng)=(μαη/T)exp(−μαηt_(d)/2T), and the sifted key error rate e is about equal to b. If the sifted key error rate e is negligible, the secure key generation rate is given approximately by R_(s)=R_(ng)(1−2μ(1−αη)). In cases where either (or both) of these approximations are valid, the optimization for μ can be based on the appropriately simplified expression for R_(s)(μ). The analysis can be expressed in various mathematically equivalent forms, all of which are included in the invention. For example, the above equations can be expressed in terms of the system clock rate f=1/T.

Other modifications of the analysis relate to the capabilities assumed for Eve. For example, if Eve is not assumed to have access to a quantum memory having arbitrary coherence time, then the collision probability is given by $p_c = 2^{-n_{sif}(1 - 2\mu(1-\alpha\eta) - 2e)}$, which leads to corresponding changes in the remainder of the analysis. Similarly, if Eve is not assumed to be able to replace Bob's detectors with perfect detectors (without alerting Bob), the collision probability is given by $p_c = 2^{-n_{sif}(1 - 2\mu(1-\alpha\eta) - 2e)}$, which also leads to corresponding changes in the remainder of the analysis.

FIG. 3 is a comparison of experimental and calculated key generation rates for various QKD methods, including some embodiments of the invention. Secure key generation rate is plotted as a function of fiber length for various cases. The fiber is assumed to have a loss of 0.2 dB/km and the baseline error rate b is assumed to be 3%. In these experiments, Alice's transmitter is an external cavity semiconductor laser having a LiNbO₃ intensity modulator at its output to provide pulses having a spacing T=1 ns. The pulse width is 100 ps. Attenuation as described above to optimize μ is performed at the transmitter. The resulting optimal values of μ are in the range from about 0.16 to about 0.18, depending on system parameters. The T-delay interferometer in Bob's receiver is a planar lightwave circuit having an insertion loss of 2.5 dB.

The following DPS QKD results are obtained with up-conversion detectors, where nonlinear mixing in a periodically poled lithium niobate waveguide between the received photons at 1560 nm and a strong pump wave at 1319 nm generates sum frequency photons at 715 nm. The internal conversion efficiency between 1560 nm photons and 715 nm photons exceeds 99%. The 715 nm photons are detected with a single photon counting module (SPCM) based on a silicon avalanche photodiode, which has a high quantum efficiency (about 70%), a low dark count rate (about 50 Hz) and a dead time of 50 ns. The overall quantum efficiency of the up-conversion detector can be varied by changing the 1319 nm pump power, and can be as high as 37%. However, a spurious nonlinear interaction in the waveguide occurred, so the detector dark count rate increased quadratically as the pump power increased. It can be beneficial to accept a lower quantum efficiency in order to reduce the dark count rate in certain cases. Time gating (i.e., applying a time window to the recorded data before processing it) is employed to reduce the effect of detector timing jitter.

The squares show experimental DPS QKD results using fiber transmission, while the x marks show experimental DPS QKD results using an attenuator to simulate fiber loss. These results were obtained with the upconversion detectors set to have η=8.8%. The time window was 0.6 ns, and the resulting dark count rate was 26 kHz. In each case, the average number of photons per bit is optimized as described above to maximize R_(s). Line 308 on FIG. 3 shows the calculated R_(max) as a function of fiber length for these cases, and excellent agreement is seen between theory and experiment. The sifted key generation rate for η=8.8% is shown as line 302. Experimental data points are the result of averaging the results of five individual runs. At fiber lengths of 30 km or less, the sifted key generation rate exceeded 1 Mbit/s. The secure key generation rate over 20 km of fiber was 0.455 Mbit/s.

The circle shows an experimental DPS QKD result using fiber transmission, while the + marks show experimental DPS QKD results using an attenuator to simulate fiber loss. These results were obtained with the upconversion detectors set to have η=2.0%. The time window was 0.2 ns, and the resulting dark count rate was 2.7 kHz. In each case, the average number of photons per bit is optimized as described above to maximize R_(s). Line 310 on FIG. 3 shows the calculated R_(max) as a function of fiber length for these cases, and excellent agreement is seen between theory and experiment. The sifted key generation rate for η=2.0% is shown as line 304. Experimental data points are the result of averaging the results of five individual runs. Here the secure key generation rate was 209 bit/s at a distance of 100 km.

The triangles show experimental QKD results using the conventional BB84 QKD protocol with InGaAs avalanche photodiode detectors and a Poissonian light source. The security analysis for this case considers a photon number splitting (PNS) attack. Line 306 is a corresponding theoretical calculation of the BB84 secure key generation rate. The DPS QKD results (both key generation rate and distance) are significantly better than the BB84 results. Further improvement in the demonstrated performance of DPS QKD can be obtained by reducing the detector dark count rate (e.g., by eliminating the spurious nonlinear interaction) and/or by reducing detector timing jitter. In view of these possibilities for improvement, DPS QKD should be able to provide secure QKD over distances as large as 300 km.

The invention claimed is:
 1. A method for quantum key distribution comprising: a) providing pulses of coherent light having a time spacing T between adjacent pulses at a transmitter; b) phase modulating the pulses randomly at the transmitter such that each adjacent pair of pulses is either in phase or out of phase, wherein the modulation applied to each pulse is recorded to provide modulation times; c) adjusting the intensity of the pulses such that an average number of photons per transmitted pulse is a predetermined value μ less than unity; d) transmitting the pulses from the transmitter to a receiver over a channel having a transmittance α; e) demodulating the received pulses by passing them through a two arm interferometer having a time delay difference equal to T, wherein the interferometer has two outputs (O1 and O2), each output having a corresponding detector (D1 and D2); f) detecting demodulated pulses with the detectors to provide detection events, each detection event having a detection time, wherein detectors D1 and D2 have quantum efficiencies η₁ and η₂ respectively; g) providing the detection times to the transmitter; i) comparing the detection times to the modulation times to deduce at the transmitter which of the detectors in the receiver is associated with each of the detection events; wherein a secure key generation rate R_(s) is a predetermined function of at least μ, α, η₁ and η₂; wherein R_(s) takes on a maximum value R_(max) for an optimal average number of photons per bit μ_(opt); wherein μ is predetermined such that R_(s) is greater than about 0.5 R_(max).
 2. The method of claim 1, wherein μ is predetermined such that R_(s) is greater than about 0.8 R_(max).
 3. The method of claim 1, wherein said detectors have equal quantum efficiency η.
 4. The method of claim 3, wherein t_(d) is a dead time of said detectors and wherein a sifted key generation rate R_(ng) is given by R_(ng)=(μαη/T)exp(−μαηt_(d)/2T).
 5. The method of claim 4, wherein said predetermined function is given by R_(s)=R_(ng)(1−2μ(1−αη)).
 6. The method of claim 3, wherein said detectors have a dark count rate d and wherein R_(s) is a predetermined function of at least μ, α, η and d.
 7. The method of claim 6, wherein t_(d) is a dead time of said detectors and wherein a sifted key generation rate R_(ng) is given by R_(ng)=((μαη+2d)/T)exp(−(μαη+2d)t_(d)/2T).
 8. The method of claim 7 wherein said predetermined function is given by R_(s)=R_(ng)(1−2μ(1−αη)).
 9. The method of claim 7 wherein said system provides a baseline error rate b and wherein a sifted key error rate e is given by $e = \frac{b\mu\alpha\eta + d}{\mu\alpha\eta + 2d}$.
 10. The method of claim 9, wherein an error correcting algorithm provides a correction factor f(e) to the Shannon limit, and wherein said predetermined function is given by R_(s)=R_(ng)(1−2μ(1−αη)−2e+f(e){e log₂e+(1−e)log₂(1−e)}).
 11. A system for quantum key distribution comprising: a) a source of coherent light pulses in a transmitter, wherein a time spacing between adjacent pulses is T; b) a phase modulator in the transmitter and capable of modulating the pulses such that each adjacent pair of pulses is either in phase or out of phase, wherein the modulation applied to each pulse is recorded to provide modulation times; c) an intensity adjuster in the transmitter and capable of adjusting the intensity of the pulses such that an average number of photons per transmitted pulse is a predetermined value μ less than unity; d) a channel having a transmittance α on which the pulses are transmitted from the transmitter to a receiver; e) a two arm interferometer in the receiver having a time delay difference equal to T and having two outputs (O1 and O2), wherein the interferometer is capable of receiving the pulses from the channel and providing demodulated pulses at outputs O1 and O2; f) two detectors (D1 and D2) coupled to outputs O1 and O2 respectively, wherein detectors D1 and D2 have quantum efficiencies η₁ and η₂ respectively; wherein the demodulated pulses are detected by the detectors to provide detection events, each detection event having a detection time; wherein the detection times are provided to the transmitter; wherein the detection times are compared to the modulation times to deduce at the transmitter which of the detectors in the receiver is associated with each of the detection events; wherein a secure key generation rate R_(s) is a predetermined function of at least μ, α, η₁ and η₂; wherein R_(s) takes on a maximum value R_(max) for an optimal average number of photons per bit μ_(opt); wherein μ is predetermined such that R_(s) is greater than about 0.5 R_(max).
 12. The system of claim 11, wherein said channel includes an optical fiber.
 13. The system of claim 11, wherein said detectors are selected from the group consisting of photodiodes, avalanche photodiodes, photomultiplier tubes, upconversion detectors, superconducting transition edge sensors, and solid state photomultipliers.
 14. The system of claim 11, wherein said coherent light is provided by an optical source selected from the group consisting of a pulsed laser and a CW laser combined with an optical modulator.